eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/zot.md
Erich Blume 55d31c9c0b Docs pass: update zot Mikado chain for completion 
- harden-zot-registry: fix Authentik hostname, check off all
  verified items, add metrics config to "what was done"
- enforce-tag-immutability: fix admins permissions (was missing
  update)
- agent-change-process: clarify that requires: is permanent and
  status: active is the only completion marker
- zot reference: update modified date
- wire-ci-registry-auth fragment: add metrics fix
- Remove stale harden-zot-mikado-cards.ai.md planning fragment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 15:32:34 -08:00

2.2 KiB
Raw Blame History

title modified tags
Zot 2026-02-21
service
registry

Zot

OCI-native container registry providing pull-through cache and private image storage.

Quick Reference

Property Value
URL https://registry.ops.eblu.me
Local Port 5050
Data ~/zot
Config ~/.config/zot/config.json
LaunchAgent mcquack

Namespace Convention

Path Source
registry.ops.eblu.me/docker.io/* Cached from Docker Hub
registry.ops.eblu.me/ghcr.io/* Cached from GHCR
registry.ops.eblu.me/quay.io/* Cached from Quay
registry.ops.eblu.me/blumeops/* Private images

Pull-Through Cache

When cluster pulls an image, containerd checks zot first. If cached, returns immediately. If not, zot fetches from upstream, caches it, then returns.

Security Model

OIDC authentication via authentik, with API key support for CI. Three-tier access control:

Role Permissions Use case
Anonymous read Pull images without auth
artifact-workloads group read, create CI push (new tags only, no overwrite/delete)
admins group read, create, update, delete Break-glass admin access

CI authenticates with a zot API key generated from the zot-ci service account's OIDC session. The key is stored in the Forgejo Secrets 1Password item (field zot-ci-api) and synced to Forgejo Actions secrets via ansible.

API Key Rotation

The zot-ci API key expires every 90 days. To rotate:

  1. In Authentik admin UI, impersonate the zot-ci user
  2. Visit https://registry.ops.eblu.me — you'll land on the login page
  3. Click "SIGN IN WITH OIDC" to authenticate as zot-ci
  4. Navigate to https://registry.ops.eblu.me/user/apikey
  5. Generate a new API key, copy it to clipboard
  6. Update 1Password: 
    pbpaste | op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=-"
  7. Sync to Forgejo: mise run provision-indri -- --tags forgejo_actions_secrets

Related